RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
|
|
- Reynold Douglas
- 5 years ago
- Views:
Transcription
1 RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values First Published: September 23, 2005 Last Updated: August 18, 2010 The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor specific attributes, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use. Finding Feature Information Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information for RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values section on page 11. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to An account on Cisco.com is not required. Contents Information About RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values, page 2 RADIUS Disconnect-Cause Attribute Values, page 6 Additional References, page 9 Feature Information for RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values, page 11 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA USA
2 Information About Information About RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco s vendor-id is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string of the following format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, OUTBOUND. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and * for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example, the following AV pair causes Cisco s multiple named ip address pools feature to be activated during IP authorization (during PPP s IPCP address assignment): cisco-avpair= ip:addr-pool=first If you insert an *, the AV pair ip:addr-pool=first becomes optional. Note that any AV pair can be made optional. cisco-avpair= ip:addr-pool*first The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands: cisco-avpair= shell:priv-lvl=15 Attribute 26 contains the following three elements: Type Length String (also known as data) Vendor-Id Vendor-Type Vendor-Length Vendor-Data Figure 1 shows the packet format for a VSA encapsulated behind attribute 26. 2
3 Information About Figure 1 VSA Encapsulated Behind Attribute Type Length Vendor-Id Vendor-Id (cont.) Vendor-type Vendor-length Attributes-specific... (vendor-data) Note It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as Vendor-Data) is dependent on the vendor's definition of that attribute. Table 1 describes significant fields listed in Table 2, which lists supported vendor-specific RADIUS attributes (IETF attribute 26). Table 1 Vendor-Specific Attributes Table Field Descriptions Field Description Number All attributes listed in the following table are extensions of IETF attribute 26. Vendor-Specific Command Codes A defined code used to identify a particular vendor. Code 9 defines Cisco VSAs, 311 defines Microsoft VSAs, and 529 defines Ascend VSAs. Sub-Type Number The attribute ID number. This number is much like the ID numbers of IETF attributes, except it is a second layer ID number encapsulated behind attribute 26. Attribute The ASCII string name of the attribute. Description Description of the attribute. Table 2 Vendor-Specific RADIUS IETF Attributes Number Vendor-Specific Company Code Sub-Type Number Attribute Description MS-CHAP Attributes MSCHAP-Response Contains the response value provided by a PPP MS-CHAP user in response to the challenge. It is only used in Access-Request packets. This attribute is identical to the PPP CHAP Identifier. (RFC 2548) MSCHAP-Challenge Contains the challenge sent by a network access server to an MS-CHAP user. It can be used in both Access-Request and Access-Challenge packets. (RFC 2548) 3
4 Information About Table 2 Vendor-Specific RADIUS IETF Attributes (continued) Number Vendor-Specific Company Code Sub-Type Number Attribute Description VPDN Attributes l2tp-busy-disconnect If a vpdn-group on an LNS uses a virtual-template that is configured to be pre-cloned, this attribute will control the disposition of a new L2TP session that finds no pre-cloned interface to which to connect. If the attribute is true (the default), the session will be disconnected by the LNS. Otherwise, a new interface will be cloned from the virtual-template l2tp-cm-local-window-size Specifies the maximum receive window size for L2TP control messages. This value is advertised to the peer during tunnel establishment l2tp-drop-out-of-order Respects sequence numbers on data packets by dropping those that are received out of order. This does not ensure that sequence numbers will be sent on data packets, just how to handle them if they are received l2tp-hello-interval Specifies the number of seconds for the hello keepalive interval. Hello packets are sent when no data has been sent on a tunnel for the number of seconds configured here l2tp-hidden-avp When enabled, sensitive AVPs in L2TP control messages are scrambled or hidden l2tp-nosession-timeout Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down tunnel-tos-reflect Copies the IP ToS field from the IP header of each payload packet to the IP header of the tunnel packet for packets entering the tunnel at the LNS l2tp-tunnel-authen If this attribute is set, it performs L2TP tunnel authentication l2tp-tunnel-password Shared secret used for L2TP tunnel authentication and AVP hiding l2tp-udp-checksum This is an authorization attribute and defines whether L2TP should perform UDP checksums for data packets. Valid values are yes and no. The default is no. H323 Attributes Remote-Gateway-ID (h323-remote-address) Indicates the IP address of the remote gateway Connection-ID (h323-conf-id) Setup-Time (h323-setup-time) Identifies the conference ID. Indicates the setup time for this connection in Coordinated Universal Time (UTC) formerly known as Greenwich Mean Time (GMT) and Zulu time. 4
5 Information About Table 2 Vendor-Specific RADIUS IETF Attributes (continued) Number Vendor-Specific Company Code Sub-Type Number Attribute Description Call-Origin (h323-call-origin) Call-Type (h323-call-type) Connect-Time (h323-connect-time) Disconnect-Time (h323-disconnect-time) Disconnect-Cause (h323-disconnect-caus)e Voice-Quality (h323-voice-quality) Gateway-ID (h323-gw-id) Indicates the origin of the call relative to the gateway. Possible values are originating and terminating (answer). Indicates call leg type. Possible values are telephony and VoIP. Indicates the connection time for this call leg in UTC. Indicates the time this call leg was disconnected in UTC. Specifies the reason a connection was taken offline per Q.931 specification. Specifies the impairment factor (ICPIF) affecting voice quality for a call. Indicates the name of the underlying gateway. Large Scale Dialout Attributes callback-dialstring Defines a dialing string to be used for callback data-service No description available dial-number Defines the number to dial force-56 Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available map-class Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out send-auth Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. Miscellaneous Attributes Cisco-NAS-Port Specifies additional vendor specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note This VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets min-links Sets the minimum number of links for MLP. 5
6 RADIUS Disconnect-Cause Attribute Values Table 2 Vendor-Specific RADIUS IETF Attributes (continued) Number Vendor-Specific Company Code Sub-Type Number Attribute Description proxyacl#<n> Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces spi Carries the authentication information needed by the home agent to authenticate a mobile node during registration. The information is in the same syntax as the ip mobile secure host <addr> configuration command. Basically it contains the rest of the configuration command that follows that string, verbatim. It provides the Security Parameter Index (SPI), key, authentication algorithm, authentication mode, and replay protection timestamp range client-mac-address Contains the MAC address of the PPPoE client. Note This attribute is applicable only to PPP over Ethernet (PPPoE) or to PPP over ATM (PPPoA). See Configuring Router to Use Vendor-Specific RADIUS Attributes section of the Configuring RADIUS feature module for more information on configuring your NAS to recognize and use VSAs. RADIUS Disconnect-Cause Attribute Values Disconnect-cause attribute values specify the reason a connection was taken offline. The attribute values are sent in Accounting request packets. These values are sent at the end of a session, even if the session fails to be authenticated. If the session is not authenticated, the attribute can cause stop records to be generated without first generating start records. Table 3 lists the cause codes, values, and descriptions for the Disconnect-Cause (195) attribute. Note The Disconnect-Cause is incremented by 1000 when it is used in RADIUS AVPairs; for example, disc-cause 4 becomes Table 3 Disconnect-Cause Attribute Values Cause Code Value Description 2 Unknown Reason unknown. 4 CLID-Authentication-Failure Failure to authenticate number of the calling-party. 10 No-Carrier No carrier detected. Note Codes 10, 11, and 12 can be sent if there is a disconnection during initial modem connection. 6
7 RADIUS Disconnect-Cause Attribute Values Table 3 Disconnect-Cause Attribute Values (continued) Cause Code Value Description 11 Lost-Carrier Loss of carrier. 12 No-Detected-Result-Codes Failure to detect modem result codes. 20 User-Ends-Session User terminates a session. Note Codes 20, 22, 23, 24, 25, 26, 27, and 28 apply to EXEC sessions. 21 Idle-Timeout Timeout waiting for user input. Codes 21, 100, 101, 102, and 120 apply to all session types. 22 Exit-Telnet-Session Disconnect due to exiting Telnet session. 23 No-Remote-IP-Addr Could not switch to SLIP/PPP; the remote end has no IP address. 24 Exit-Raw-TCP Disconnect due to exiting raw TCP. 25 Password-Fail Bad passwords. 26 Raw-TCP-Disabled Raw TCP disabled. 27 Control-C-Detected Control-C detected. 28 EXEC-Process-Destroyed EXEC process destroyed. 40 Timeout-PPP-LCP PPP LCP negotiation timed out. Note Codes 40, 41, 42, 43, 44, 45, and 46 apply to PPP sessions. 41 Failed-PPP-LCP-Negotiation PPP LCP negotiation failed. 42 Failed-PPP-PAP-Auth-Fail PPP PAP authentication failed. 43 Failed-PPP-CHAP-Auth PPP CHAP authentication failed. 44 Failed-PPP-Remote-Auth PPP remote authentication failed. 45 PPP-Remote-Terminate PPP received a Terminate Request from remote end. 46 PPP-Closed-Event Upper layer requested that the session be closed. 63 PPP-Echo-Replies TCP connection has been closed. 100 Session-Timeout Session timed out. 101 Session-Failed-Security Session failed for security reasons. 102 Session-End-Callback Session terminated due to callback. 120 Invalid-Protocol Call refused because the detected protocol is disabled. 600 VPN-User-Disconnect Call disconnected by client (through PPP). Code is sent if the LNS receives a PPP terminate request from the client. 601 VPN-Carrier-Loss Loss of carrier. This can be the result of a physical line going dead. Code is sent when a client is unable to dial out using a dialer. 602 VPN-No-Resources No resources available to handle the call. Code is sent when the client is unable to allocate memory (running low on memory). 7
8 RADIUS Disconnect-Cause Attribute Values Table 3 Disconnect-Cause Attribute Values (continued) Cause Code Value Description 603 VPN-Bad-Control-Packet Bad L2TP or L2F control packets. This code is sent when an invalid control packet, such as missing mandatory Attribute-Value pairs (AVP), from the peer is received. When using L2TP, the code will be sent after six retransmits; when using L2F, the number of retransmits is user configurable. Note VPN-Tunnel-Shut will be sent if there are active sessions in the tunnel. 604 VPN-Admin-Disconnect Administrative disconnect. This can be the result of a VPN soft shutdown, which is when a client reaches maximum session limit or exceeds maximum hopcount. Code is sent when a tunnel is brought down by issuing the clear vpdn tunnel command. 605 VPN-Tunnel-Shut Tunnel teardown or tunnel setup has failed. Code is sent when there are active sessions in a tunnel and the tunnel goes down. Note This code is not sent when tunnel authentication fails. 606 VPN-Local-Disconnect Call is disconnected by LNS PPP module. Code is sent when the LNS sends a PPP terminate request to the client. It indicates a normal PPP disconnection initiated by the LNS. 607 VPN-Session-Limit VPN soft shutdown is enabled. Code is sent when a call has been refused due to any of the soft shutdown restrictions previously mentioned. 611 VPDN-Tunnel-In-Resync VPDN tunnel is in HA resync. 8
9 Additional References Additional References The following sections provide references related to RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values. Related Documents Related Topic Cisco IOS commands Security commands Security Features Security Server Protocols RADIUS Configuration Document Title Cisco IOS Master Commands List, All Releases Cisco IOS Security Command Reference Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2 Security Server Protocols section of the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2 Configuring RADIUS feature module. Standards Standard Internet Engineering Task Force (IETF) Internet Draft: Network Access Servers Requirements Title Network Access Servers Requirements: Extended RADIUS Practices MIBs MIB None. MIBs Link To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: RFCs RFC RFC 2865 Title Remote Authentication Dial In User Service (RADIUS) 9
10 Additional References Technical Assistance Description The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Link 10
11 Feature Information for Feature Information for RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values Table 4 lists the release history for this feature. Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to An account on Cisco.com is not required. Note Table 4 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Table 4 Feature Information for RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values Feature Name Releases Feature Information Accounting of VPDN Disconnect Cause Cisco IOS XE This feature was introduced on Cisco ASR 1000 Series Release 2.1 Routers. Vendor-Specific RADIUS Attributes Cisco IOS XE Release 2.1 This document discusses the Internet Engineering Task Force (IETF) draft standard, which specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor specific attributes, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use. In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental Cisco Systems, Inc. All rights reserved. 11
12 Feature Information for 12
RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
RADIUS s and RADIUS Disconnect-Cause Values The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server
More informationthus, the newly created attribute is accepted if the user accepts attribute 26.
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS
More informationthus, the newly created attribute is accepted if the user accepts attribute 26.
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS
More informationRADIUS Attributes. RADIUS IETF Attributes
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS
More informationConfiguring the Physical Subscriber Line for RADIUS Access and Accounting
Configuring the Physical Subscriber Line for RADIUS Access and Accounting Last Updated: December 5, 2011 Configuring a physical subscriber line for RADIUS Access and Accounting enables an L2TP access concentrator
More informationEncrypted Vendor-Specific Attributes
Encrypted Vendor-Specific Attributes Last Updated: January 15, 2012 The Encrypted Vendor-Specific Attributes feature provides users with a way to centrally manage filters at a RADIUS server and supports
More informationFirewall Authentication Proxy for FTP and Telnet Sessions
Firewall Authentication Proxy for FTP and Telnet Sessions Last Updated: January 18, 2012 Before the introduction of the Firewall Authentication Proxy for FTP and Telnet Sessions feature, users could enable
More informationRADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
RADIUS Attribute 66 Tunnel-Client-Endpoint The RADIUS Attribute 66 (Tunnel-Client-Endpoint) feature allows the hostname of the network access server (NAS) to be specified--rather than the IP address of
More informationPPPoE Client DDR Idle-Timer
The feature supports the dial-on-demand routing (DDR) interesting traffic control list functionality of the dialer interface with a PPP over Ethernet (PPPoE) client, but also keeps original functionality
More informationQoS: Classification, Policing, and Marking on LAC Configuration Guide, Cisco IOS Release 12.4T
QoS: Classification, Policing, and Marking on LAC Configuration Guide, Cisco IOS Release 12.4T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com
More informationRADIUS Attributes Overview and RADIUS IETF Attributes
RADIUS Attributes Overview and RADIUS IETF Attributes First Published: March 19, 2001 Last Updated: September 23, 2009 Remote Authentication Dial-In User Service (RADIUS) attributes are used to define
More informationRemote Access MPLS-VPNs
First Published: August 12, 2002 Last Updated: May 4, 2009 The feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates
More informationRADIUS Logical Line ID
The feature, also known as the Logical Line Identification (LLID) Blocking feature enables administrators to track their customers on the basis of the physical lines on which customer calls originate.
More informationRADIUS Tunnel Attribute Extensions
The feature allows a name to be specified (other than the default) for the tunnel initiator and the tunnel terminator in order to establish a higher level of security when setting up VPN tunneling. Finding
More informationImplementing ADSL and Deploying Dial Access for IPv6
Implementing ADSL and Deploying Dial Access for IPv6 Last Updated: July 31, 2012 Finding Feature Information, page 1 Restrictions for Implementing ADSL and Deploying Dial Access for IPv6, page 1 Information
More informationVPDN Tunnel Management
VPDN Tunnel Management Finding Feature Information VPDN Tunnel Management Last Updated: July 22, 2011 This module contains information about managing virtual private dialup network (VPDN) tunnels and monitoring
More informationDHCP Client on WAN Interfaces
DHCP Client on WAN Interfaces First Published: February 25, 2002 Last Updated: September 12, 2008 The DHCP Client on WAN Interfaces feature extends the Dynamic Host Configuration Protocol (DHCP) to allow
More informationConfiguring the Physical Subscriber Line for RADIUS Access and Accounting
Configuring the Physical Subscriber Line for RADIUS Access and Accounting Configuring a physical subscriber line for RADIUS Access and Accounting enables an L2TP access concentrator (LAC) and an L2TP network
More informationRADIUS Packet of Disconnect
First Published: March 19, 2001 Last Updated: October 2, 2009 The feature is used to terminate a connected voice call. Finding Feature Information Your software release may not support all the features
More informationIPsec NAT Transparency
sec NAT Transparency First Published: November 25, 2002 Last Updated: March 1, 2011 The sec NAT Transparency feature introduces support for Security (sec) traffic to travel through Network Address Translation
More informationRADIUS Vendor-Proprietary Attributes
RADIUS Vendor-Proprietary Attributes Last Updated: January 17, 2012 The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server
More informationEncrypted Vendor-Specific Attributes
The feature provides users with a way to centrally manage filters at a RADIUS server and supports the following types of string vendor-specific attributes (VSAs): Tagged String VSA, on page 2 (similar
More informationConfiguring RADIUS. Finding Feature Information. Prerequisites for RADIUS
The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication
More informationPPPoE Session Limit per NAS Port
PPPoE Session Limit per NAS Port First Published: March 17, 2003 Last Updated: February 28, 2006 The PPPoE Session Limit per NAS Port feature enables you to limit the number of PPP over Ethernet (PPPoE)
More informationRADIUS Tunnel Preference for Load Balancing
RADIUS Tunnel Preference for Load Balancing and Fail-Over Finding Feature Information RADIUS Tunnel Preference for Load Balancing and Fail-Over Last Updated: July 18, 2011 The RADIUS Tunnel Preference
More informationConfiguring Template ACLs
Configuring Template ACLs First Published: June 19, 2009 Last Updated: June 19, 2009 When user profiles are configured using RADIUS Attribute 242 or vendor-specific attribute (VSA) Cisco-AVPairs, similar
More informationConfiguring RADIUS. Finding Feature Information. Prerequisites for RADIUS. Last Updated: November 2, 2012
Configuring RADIUS Last Updated: November 2, 2012 The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS
More informationRADIUS Attributes Overview and RADIUS IETF Attributes
RADIUS Attributes Overview and RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements
More information802.1P CoS Bit Set for PPP and PPPoE Control Frames
802.1P CoS Bit Set for PPP and PPPoE Control The 802.1P CoS Bit Set for PPP and PPPoE Control feature provides the ability to set user priority bits in the IEEE 802.1Q tagged frame to allow traffic prioritization.
More informationDHCP Server RADIUS Proxy
The Dynamic Host Configuration Protocol (DHCP) Server RADIUS Proxy is a RADIUS-based address assignment mechanism in which a DHCP server authorizes remote clients and allocates addresses based on replies
More informationRADIUS Configuration Guide Cisco IOS XE Release 2
RADIUS Configuration Guide Cisco IOS XE Release 2 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
More informationMPLS LDP Autoconfiguration
First Published: November 8, 2004 Last Updated: November 25, 2009 The feature enables you to globally configure Label Distribution Protocol (LDP) on every interface associated with a specified Interior
More informationQoS: Child Service Policy for Priority Class
QoS: Child Service Policy for Priority Class First Published: November, 2006 Last Updated: March 2, 2009 The QoS: Child Service Policy for Priority Class feature allows you to configure a child service
More informationConfiguring Scalable Hub-and-Spoke MPLS VPNs
Configuring Scalable Hub-and-Spoke MPLS VPNs Last Updated: December 15, 2011 This module explains how to ensure that virtual private network (VPN) clients that connect to the same provider edge (PE) router
More informationRADIUS Route Download
The feature allows users to configure their network access server (NAS) to direct RADIUS authorization. Finding Feature Information, page 1 Prerequisites for, page 1 Information About, page 1 How to Configure,
More informationSIP Gateway Support for the bind Command
SIP Gateway Support for the bind Command Last Updated: December 16, 2011 The Gateway Support for the bind Command feature introduces the bind command, which allows you to configure the source IP address
More informationProviding Connectivity Using ATM Routed Bridge Encapsulation over PVCs
Providing Connectivity Using ATM Routed Bridge Encapsulation over PVCs Last Updated: December 5, 2011 The Providing Connectivity Using ATM Routed Bridge Encapsulation over PVCs feature provides the functionality
More informationImplementing Traffic Filters for IPv6 Security
Implementing Traffic Filters for IPv6 Security Last Updated: November 14, 2011 This module describes how to configure Cisco IOS XE IPv6 traffic filter and firewall features for your Cisco networking devices.
More informationHTTP 1.1 Web Server and Client
HTTP 1.1 Web Server and Client Finding Feature Information HTTP 1.1 Web Server and Client Last Updated: June 01, 2011 The HTTP 1.1 Web Server and Client feature provides a consistent interface for users
More informationProviding Connectivity Using ATM Routed Bridge Encapsulation over PVCs
Providing Connectivity Using ATM Routed Bridge Encapsulation over PVCs First Published: May 2, 2005 Last Updated: November 24, 2010 The Providing Connectivity Using ATM Routed Bridge Encapsulation over
More informationvirtual-template virtual-template template-number no virtual-template Syntax Description
VPDN Commands virtual-template virtual-template To specify which virtual template will be used to clone virtual access interfaces (VAI), use the virtual-template command in BBA group configuration mode
More informationFinding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
First Published: March 20, 2006 Last Updated: March 22, 2011 The feature is one of two features bundled with the QoS: Broadband Aggregation Enhancements Phase 1 feature. The feature provides the ability
More informationConfiguring L2TP HA Session SSO ISSU on a
Configuring L2TP HA Session SSO ISSU on a LAC LNS Finding Feature Information Configuring L2TP HA Session SSO ISSU on a LAC LNS Last Updated: July 22, 2011 The L2TP HA Session SSO/ISSU on a LAC/LNS feature
More informationRADIUS Configuration Guide, Cisco IOS XE Everest (Cisco ASR 900 Series)
RADIUS Configuration Guide, Cisco IOS XE Everest 16.5.1 (Cisco ASR 900 Series) Configuring RADIUS 2 Finding Feature Information 2 Prerequisites for RADIUS 2 Information About RADIUS 2 How to Configure
More informationThe MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to
The feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to utilize Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication for PPP connections between
More informationProxy Mobile IPv6 Support for MAG Functionality
Proxy Mobile IPv6 Support for MAG Functionality First Published: July 22, 2011 Last Updated: July 22, 2011 The Proxy Mobile IPv6 Support for MAG Functionality feature provides network-based IP Mobility
More informationInspection of Router-Generated Traffic
Inspection of Router-Generated Traffic The Inspection of Router-Generated Traffic feature allows Context-Based Access Control (CBAC) to inspect traffic that is originated by or destined to the router on
More informationBroadband Scalability and Performance
The infrastructure of a service provider must be capable of supporting the services that an enterprise customer or Internet service provider (ISP) wants to offer its subscribers. The service provider must
More informationHTTP 1.1 Web Server and Client
HTTP 1.1 Web Server and Client Last Updated: October 12, 2011 The HTTP 1.1 Web Server and Client feature provides a consistent interface for users and applications by implementing support for HTTP 1.1
More informationRADIUS Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 920 Series)
RADIUS Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 920 Series) Configuring RADIUS 2 Finding Feature Information 2 Prerequisites for RADIUS 2 Information About RADIUS 2 How to Configure RADIUS
More informationRADIUS Attributes Configuration Guide
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationConfiguring ISG Support for Prepaid Billing
Configuring ISG Support for Prepaid Billing Last Updated: December 19, 2012 Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices
More informationConfiguring MAC Authentication Bypass
Configuring MAC Authentication Bypass Last Updated: January 18, 2012 The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows clients in a network to integrate
More informationContextual Configuration Diff Utility
Contextual Configuration Diff Utility Last Updated: November 29, 2011 The Contextual Configuration Diff Utility feature provides the ability to perform a line-by-line comparison of any two configuration
More informationConfiguring IP Multicast over Unidirectional Links
Configuring IP Multicast over Unidirectional Links Last Updated: December 16, 2011 IP multicast requires bidirectional communication, yet some networks include broadcast satellite links, which are unidirectional.
More informationBGP Policy Accounting Output Interface Accounting
BGP Policy Accounting Output Interface Accounting Last Updated: November 2, 2011 Border Gateway Protocol (BGP) policy accounting (PA) measures and classifies IP traffic that is sent to, or received from,
More informationBGP Event-Based VPN Import
BGP Event-Based VPN Import Last Updated: April 13, 2012 The BGP Event-Based VPN Import feature introduces a modification to the existing Border Gateway Protocol (BGP) path import process. The enhanced
More informationAutosense for ATM PVCs and MUX SNAP Encapsulation
Autosense for ATM PVCs and MUX SNAP Encapsulation The PPPoA/PPPoE Autosense for ATM PVCs feature enables a router to distinguish between incoming PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) over
More informationExpires Timer Reset on Receiving or Sending SIP 183 Message
Expires Timer Reset on Receiving or Sending SIP 183 Message Last Updated: December 20, 2011 This feature enables support for resetting the Expires timer when receiving or sending SIP 183 messages on Cisco
More informationRedirecting Subscriber Traffic Using ISG Layer
Redirecting Subscriber Traffic Using ISG Layer 4 Redirect Finding Feature Information Redirecting Subscriber Traffic Using ISG Layer 4 Redirect Last Updated: August 21, 2011 Intelligent Services Gateway
More informationTo use DNS, you must have a DNS name server on your network.
Configuring DNS Last Updated: December 15, 2011 The Domain Name System (DNS) is a distributed database in which you can map host names to IP addresses through the DNS protocol from a DNS server. Each unique
More informationConfiguring RADIUS-Based Policing
Configuring RADIUS-Based Policing Finding Feature Information Configuring RADIUS-Based Policing Last Updated: August 21, 2011 The RADIUS-Based Policing feature enables Intelligent Services Gateway (ISG)
More informationTACACS+ Configuration Guide, Cisco IOS XE Release 3S
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationConfiguring Secure Shell
Configuring Secure Shell Last Updated: October 24, 2011 The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures
More informationLogging to Local Nonvolatile Storage (ATA Disk)
Logging to Local Nonvolatile Storage (ATA Last Updated: October 12, 2011 The Logging to Local Nonvolatile Storage (ATA feature enables system logging messages to be saved on an advanced technology attachment
More informationThis feature was introduced. This feature was integrated into Cisco IOS Release 12.2(27)SBA.
PPPoE Relay The PPPoE Relay feature enables an L2TP access concentrator (LAC) to relay active discovery and service selection functionality for PPP over Ethernet (PPPoE), over a Layer 2 Tunneling Protocol
More informationConfiguring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon Intelligent Services Gateway (ISG) is a Cisco software feature set that provides a structured framework in which
More informationNetflow v9 for IPv6. Finding Feature Information. Prerequisites for Netflow v9 for IPv6. Information About Netflow v9 for IPv6
Netflow v9 for IPv6 Last Updated: July 31, 2012 This module contains information about and instructions for configuring NetFlow and NetFlow Data Export (NDE) for capturing and exporting data from IP version
More informationLocal Template-Based ATM PVC Provisioning
Local Template-Based ATM PVC Provisioning Last Updated: August 29, 2012 The Local Template-Based ATM Provisioning feature enables ATM permanent virtual circuits (PVCs) to be provisioned automatically as
More informationFirewall Stateful Inspection of ICMP
Firewall Stateful Inspection of ICMP Last Updated: March 26, 2012 The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages
More informationUsing NetFlow Sampling to Select the Network Traffic to Track
Using NetFlow Sampling to Select the Network Traffic to Track Last Updated: September 17, 2012 This module contains information about and instructions for selecting the network traffic to track through
More informationIP Routing: ODR Configuration Guide, Cisco IOS Release 15M&T
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationCPU Thresholding Notification
CPU Thresholding Notification Last Updated: October 10, 2011 The CPU Thresholding Notification feature notifies users when a predefined threshold of CPU usage is crossed by generating a Simple Network
More informationDefine Interface Policy-Map AV Pairs AAA
First Published: November 11, 2004 Last Published: July 29, 2009 The feature introduces two Cisco RADIUS vendor-specific attributes (VSAs) that allow a new policy map to be applied or an existing policy
More informationCisco Prime Optical 9.5 Basic External Authentication
Cisco Prime Optical 9.5 Basic External Authentication June 6, 2012 This document describes the basic external authentication functionality in Cisco Prime Optical 9.5 running on a Solaris server. External
More informationRSVP Interface-Based Receiver Proxy
RSVP Interface-Based Receiver Proxy Last Updated: January 15, 2013 The RSVP Interface-Based Receiver Proxy feature lets you configure a proxy device by outbound interface instead of configuring a destination
More informationIPsec NAT Transparency
The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities
More informationConfiguring NAS-Initiated Dial-In VPDN Tunneling
Configuring NAS-Initiated Dial-In VPDN Tunneling Network access server (NAS)-initiated dial-in tunneling provides secure tunneling of a PPP session from a NAS to a tunnel server without any special knowledge
More informationConfiguring Authorization
The AAA authorization feature is used to determine what a user can and cannot do. When AAA authorization is enabled, the network access server uses information retrieved from the user s profile, which
More informationSIP RFC 2782 Compliance with DNS SRV Queries
SIP RFC 2782 Compliance with DNS SRV Last Updated: December 21, 2011 Effective with Cisco IOS XE Release 2.5, the Domain Name System Server (DNS SRV) query used to determine the IP address of the user
More informationConfiguring ISG Policies for Automatic Subscriber Logon
Configuring ISG Policies for Automatic Subscriber Logon Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices can deliver flexible and
More informationRADIUS Tunnel Preference for Load Balancing and Fail-Over
RADIUS Tunnel Preference for Load Balancing and Fail-Over Feature History for RADIUS Tunnel Preference for Load Balancing and Fail-Over Release Modification 12.2(4)T This feature was introduced. 12.2(11)T
More informationAutosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs
Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs Feature History for Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs Release Modification 12.2(15)B This feature was introduced.
More informationPPPoE Service Selection
PPPoE Service Selection The PPPoE Service Selection feature uses service tags to enable a PPP over Ethernet (PPPoE) server to offer PPPoE clients a selection of services during call setup. The customer
More informationPPPoE Session Limits per NAS Port
PPPoE Session Limits per NAS Port The PPPoE Session Limit per NAS Port feature enables you to limit the number of PPP over Ethernet (PPPoE) sessions on a specific permanent virtual circuit (PVC) or VLAN
More informationApplication Firewall-Instant Message Traffic Enforcement
Application Firewall-Instant Message Traffic Enforcement Last Updated: September 24, 2012 The Application Firewall--Instant Message Traffic Enforcement feature enables users to define and enforce a policy
More informationCisco IOS VPDN Command Reference
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationVPDN LNS Address Checking
First Published: Sept. 30, 2007 Last Updated: Aug. 28, 2008 The feature allows a Layer 2 Tunnel Protocol (L2TP) Access Concentrator (LAC), that is receiving data from an L2TP Network Server (LNS) to check
More informationBroadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S
Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408
More informationConfiguring Security for the ML-Series Card
19 CHAPTER Configuring Security for the ML-Series Card This chapter describes the security features of the ML-Series card. This chapter includes the following major sections: Understanding Security, page
More informationImplementing Multicast Service Reflection
Implementing Multicast Service Reflection First Published: September 22, 2006 Last Updated: June 4, 2010 The Cisco Multicast Service Reflection feature provides the capability for users to translate externally
More informationIP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com
More informationIP Overlapping Address Pools
The feature improves flexibility in assigning IP addresses dynamically. This feature allows you to configure overlapping IP address pool groups to create different address spaces and concurrently use the
More informationPPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM
This feature module describes the PPP over Ethernet (PPPoE) on ATM feature. The feature provides the ability to connect a network of hosts over a simple bridging-access device to a remote access concentrator.
More informationUsing Cisco Discovery Protocol
Using Cisco Discovery Protocol First Published: February 1, 1995 Last Updated: August 12, 2010 Cisco Discovery Protocol (CDP) is a Layer 2 media-independent and network-independent protocol that runs on
More informationRADIUS Attributes. In This Appendix. RADIUS Attributes Overview. IETF Attributes Versus VSAs
RADIUS Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting elements in a user profile, which is stored on
More informationMPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012
MPLS VPN over mgre Last Updated: November 1, 2012 The MPLS VPN over mgre feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity
More informationPer VRF AAA. Finding Feature Information. Last Updated: January 18, 2012
Per VRF AAA Last Updated: January 18, 2012 The Per VRF AAA feature allows ISPs to partition authentication, authorization, and accounting (AAA) services on the basis of Virtual Private Network (VPN) routing
More informationCreating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports
Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports First Published: August 18, 2006 Last Updated: July 31, 2009 This module describes how to use an IP access list to filter
More informationAToM Graceful Restart
AToM Graceful Restart Last Updated: November 29, 2011 The AToM Graceful Restart feature assists neighboring routers that have nonstop forwarding (NSF), stateful switchover (SSO) and graceful restart (GR)
More information